The following post has been written by M365 Word Copilot

Introduction

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity and access management service. It holds the identities, group memberships, role assignments and application registrations that applications and services authorize against, and it records administrative activity in the directory, including the creation, modification and deletion of those objects, in its audit logs.

Administrators can delete directory objects such as users, groups, application registrations and service principals. For several object types Entra ID distinguishes two kinds of deletion: soft deletion, which keeps the object in a recoverable state for a limited time, and hard deletion, which removes it permanently. The two differ in availability, recoverability and in what the audit log shows. This document explains the difference, how to restore soft-deleted objects, and how to use the Entra audit logs to keep track of object deletion in Entra ID.

Soft Deletion

Soft deletion is what happens when a supported object (a user, a Microsoft 365 group, an application registration, a service principal or an administrative unit) is deleted through the portal or the API. The object is not removed; it is moved to the directory's deleted items container, where it is retained for 30 days. Soft-deleted objects disappear from the normal user, group and application listings, but administrators with a suitable role can still see them (for example under Users > Deleted users in the Microsoft Entra admin center, or through the Microsoft Graph endpoint /directory/deletedItems) and restore them. A restored object comes back with the same object ID and its properties, and a restored user keeps its group memberships and licenses, so references from other objects continue to resolve. When the 30 days are over the object is purged automatically, which is a hard deletion.

Soft deletion covers the cases where a deletion turns out to be temporary, accidental or otherwise reversible. A user account deleted during offboarding for someone who returns within the retention window can be restored instead of recreated, which preserves the object ID and therefore the access that depends on it. A Microsoft 365 group deleted as no longer needed can be brought back, together with its mailbox and SharePoint content, if a team still relies on it. An application registration removed during a cleanup can be restored when an integration that authenticates with it stops working; restoring it rather than recreating it matters because client configurations refer to its application ID.

Hard Deletion

Hard deletion permanently removes an object. It happens in two ways: automatically, when a soft-deleted object reaches the end of its 30-day retention, and explicitly, when an administrator permanently deletes an item from the deleted items container (Delete permanently in the admin center, or a DELETE request on /directory/deletedItems/{id} in Microsoft Graph). Object types that do not support soft deletion, such as security groups, distribution groups and Conditional Access policies, are hard-deleted as soon as they are deleted. A hard-deleted object cannot be viewed or restored afterwards, and any object that still refers to it (a group membership, an owner, a role assignment, an application that trusted the service principal) is left with a dangling reference or loses the relationship.

Hard deletion is appropriate when the object must be gone for good: for example when a departed employee's account must be erased to satisfy a data retention requirement, or when an unused application registration and its credentials should stop existing before the 30-day window ends. Because it is irreversible, the object ID, memberships, owners and credentials the object carried cannot be recovered, so members and policies that depended on a group, and rules that referenced a policy, must be reassigned or rewritten beforehand.

Recover soft-deleted objects in Microsoft 365

Not all objects within Microsoft Entra ID support soft deletion. Here’s a breakdown of soft deletion supported items and their respective recovery methods. 

Supported object                                              Recovery method
Users                                                         Microsoft Entra admin center or Microsoft Graph API
Microsoft 365 groups (not security or distribution groups)    Microsoft Entra admin center or Microsoft Graph API
Application registrations                                     Microsoft Entra admin center or Microsoft Graph API
Service principals                                            Microsoft Graph API
Administrative units                                          Microsoft Graph API

Restore a deleted user in M365 with Graph API

To restore a deleted user with the Microsoft Graph PowerShell SDK, sign in with Connect-MgGraph using a scope that allows writing users (User.ReadWrite.All), then run the Restore-MgDirectoryDeletedItem cmdlet and pass the account's object ID. The identifier is the GUID of the user object, not the user principal name; it is shown on the Deleted users page and in the Graph deleted items listing.

Restore-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId

Restore a deleted M365 Group with Graph API

The same cmdlet restores a Microsoft 365 group (scope Group.ReadWrite.All); the group's mailbox and SharePoint content are restored with it:

Restore-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId

Restore a Deleted Application Registration

Restoring an application registration requires the Application.ReadWrite.All scope:

Restore-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId

Restore a Deleted Service Principal

First we need additional permissions:

Connect-MgGraph -Scopes "Application.ReadWrite.All"

Restore-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId

Restore a Deleted Administrative Unit

First we need additional permissions:

Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

Restore-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId
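The restore procedure above, put together as one script. This is an added example and not code from the original post: it lists every soft-deleted object across the five restorable types with the date on which it will be purged, then restores one object by ID after checking that it is still in the deleted items container. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the listed scopes; the value of $directoryObjectId is a placeholder.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account that can
# consent to the scopes below. $directoryObjectId is a placeholder.

$scopes = @(
    "User.ReadWrite.All",               # restore users
    "Group.ReadWrite.All",              # restore Microsoft 365 groups
    "Application.ReadWrite.All",        # restore app registrations and service principals
    "AdministrativeUnit.ReadWrite.All"  # restore administrative units
)
Connect-MgGraph -Scopes $scopes

$RetentionDays = 30   # soft-deleted objects are purged automatically after 30 days

function Get-SoftDeletedInventory {
    # Every Get-MgDirectoryDeletedItemAs* cmdlet reads the same
    # /directory/deletedItems container, cast to one object type.
    $sources = [ordered]@{
        "User"               = { Get-MgDirectoryDeletedItemAsUser -All }
        "Group"              = { Get-MgDirectoryDeletedItemAsGroup -All }
        "Application"        = { Get-MgDirectoryDeletedItemAsApplication -All }
        "ServicePrincipal"   = { Get-MgDirectoryDeletedItemAsServicePrincipal -All }
        "AdministrativeUnit" = { Get-MgDirectoryDeletedItemAsAdministrativeUnit -All }
    }
    $now = (Get-Date).ToUniversalTime()
    foreach ($type in $sources.Keys) {
        foreach ($obj in (& $sources[$type])) {
            $purgeOn = $obj.DeletedDateTime.AddDays($RetentionDays)
            [pscustomobject]@{
                Type        = $type
                Id          = $obj.Id            # survives a restore, changes on recreate
                DisplayName = $obj.DisplayName
                DeletedOn   = $obj.DeletedDateTime
                PurgeOn     = $purgeOn
                DaysLeft    = [math]::Max(0, ($purgeOn - $now).Days)
            }
        }
    }
}

function Restore-SoftDeletedObject {
    param([Parameter(Mandatory)][string] $DirectoryObjectId)

    # Get-MgDirectoryDeletedItem fails when the object is not in the container:
    # it was never soft-deleted, was already restored, or has been hard-deleted.
    $item = Get-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -ErrorAction SilentlyContinue
    if (-not $item) {
        throw "Object $DirectoryObjectId is not in the deleted items container; it may already be hard-deleted."
    }

    # One cmdlet restores every supported type.
    $restored = Restore-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId

    # The restored object keeps its original object ID, which is what dependent
    # memberships, ownerships and role assignments refer to.
    if ($restored.Id -ne $DirectoryObjectId) {
        throw "Restore returned an unexpected object ($($restored.Id))"
    }
    return $restored
}

# Inventory, soonest-to-be-purged first
Get-SoftDeletedInventory | Sort-Object DaysLeft |
    Format-Table Type, DisplayName, Id, DeletedOn, DaysLeft

# Restore a single object by its object ID (placeholder GUID)
$directoryObjectId = "00000000-0000-0000-0000-000000000000"
Restore-SoftDeletedObject -DirectoryObjectId $directoryObjectId

# The explicit hard deletion works on the same container and is irreversible;
# shown here for contrast and left commented out on purpose:
# Remove-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId
```

The inventory is the input to the regular review recommended later in this post: anything with a small DaysLeft value is about to be purged, and the DeletedOn timestamp is what to match against the Delete entries in the audit log when the deletion has to be explained before it is restored.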

Entra Audit Logs

Entra audit logs record administrative activity in the directory: who created, changed, deleted or restored an object, when, through which service, with what result, and which object was the target. They are used to monitor, audit and troubleshoot changes, and to reconstruct the history of an object. They do not record why a change was made; that has to come from the change request or ticket behind it.

Audit logs are available in the Microsoft Entra admin center (Monitoring & health > Audit logs) and through Microsoft Graph (/auditLogs/directoryAudits, or Get-MgAuditLogDirectoryAudit in the Graph PowerShell SDK). They can be filtered by date range, service, category, activity, initiating user or application, target object and result, and downloaded as CSV or JSON. Retention in the admin center is 30 days (7 days for tenants without a Microsoft Entra ID P1 or P2 license), so for investigations beyond that window the logs should be streamed through diagnostic settings to a Log Analytics workspace, a storage account or an event hub.

Every deletion and every restore is a separate activity in the audit log, so the log does distinguish the two kinds of deletion. For users, a soft deletion is logged as Delete user, a permanent deletion as Hard Delete user, and a restore as Restore user; similar Delete and Restore activities are logged for groups and applications. Each entry carries the activity name, the target object's ID, display name and type, the initiating user or application, the timestamp and the result. The current state of an object (soft-deleted, restored or gone) is not a field in the log: it is reconstructed by reading the sequence of entries for that object ID, and the object ID is the right key because a restored object keeps it while a recreated object gets a new one. Alerting on Hard Delete activities, and on Delete activities initiated by unfamiliar accounts or applications, is the practical way to catch deletions that should be reviewed while the 30-day window is still open.
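The audit log query described above, as an added example that is not part of the original post: a Graph PowerShell script that pulls the last seven days of audit entries, keeps the deletion and restore activities, separates hard deletions from soft deletions and restores, and lists soft-deleted objects that have not been restored. It assumes the Microsoft.Graph PowerShell SDK and an account that can consent to AuditLog.Read.All and Directory.Read.All. The activity names Delete user, Hard Delete user and Restore user are the ones Entra writes for user objects; classifying by the leading verb so that other object types are covered too is an assumption made by the example.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK and an account able to consent to the scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-DeletionEvents {
    param([int] $Days = 7)

    # Server-side filter on the timestamp only (ISO 8601, UTC). On a busy
    # tenant narrow $Days; everything else is classified client-side.
    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $entries = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All

    foreach ($e in $entries) {
        # "Hard Delete user" is the permanent deletion, "Delete user" the soft
        # deletion, "Restore user" the restore. Matching on the verb is an
        # assumption that other object types use the same naming.
        $kind = switch -Regex ($e.ActivityDisplayName) {
            '^Hard Delete' { 'HardDelete'; break }
            '^Delete'      { 'SoftDelete'; break }
            '^Restore'     { 'Restore';    break }
            default        { $null }
        }
        if (-not $kind) { continue }

        # The initiator is either a signed-in user or an application
        # (for example a script running with app-only permissions).
        $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                 elseif ($e.InitiatedBy.App.DisplayName)    { $e.InitiatedBy.App.DisplayName }
                 else                                        { 'unknown' }

        $target = $e.TargetResources | Select-Object -First 1
        [pscustomobject]@{
            When       = $e.ActivityDateTime
            Kind       = $kind
            Activity   = $e.ActivityDisplayName
            Actor      = $actor
            TargetType = $target.Type
            TargetName = $target.DisplayName
            TargetId   = $target.Id      # stable across soft delete and restore
            Result     = $e.Result
        }
    }
}

$events = Get-DeletionEvents -Days 7

# Hard deletions first: each one is irreversible and should map to a ticket.
$events | Where-Object Kind -eq 'HardDelete' | Sort-Object When |
    Format-Table When, Actor, TargetType, TargetName, TargetId

# Soft deletions with no matching restore in the window, joined on the
# object ID, which a restore preserves and a recreate does not.
$restoredIds = $events | Where-Object Kind -eq 'Restore' | ForEach-Object TargetId
$events | Where-Object { $_.Kind -eq 'SoftDelete' -and $_.TargetId -notin $restoredIds } |
    Sort-Object When | Format-Table When, Actor, TargetType, TargetName, TargetId
```

The second listing is the one to reconcile against the soft-deleted inventory: an object that appears here but is no longer in the deleted items container has either been purged at the end of its retention or been permanently deleted, and in the latter case a Hard Delete entry with the same TargetId should exist in the first listing.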

Conclusion

Deleting directory objects is a routine administrative task in Entra ID, but it comes in two kinds, soft deletion and hard deletion, with different implications for the availability, recovery and auditing of the deleted objects.

To minimize the risk of unwanted hard deletions, organizations should implement proactive measures. Some of the essential strategies include:

  • Regularly reviewing soft-deleted items, within the 30-day window after which they are purged automatically
  • Defining specific criteria for restoration
  • Delegating roles for evaluation and restoration tasks

Entra audit logs record the activities and events related to the objects in the directory and are the record of who deleted or restored what, and when. Together, the distinction between soft and hard deletion and the audit log give administrators what they need to monitor, audit and troubleshoot object deletion in Entra ID.
